Anthem’s Breach damages Customer Confidence

10th Feb 2015

If your organisation uses on-line customer interaction, you need to take note of customer sentiment regarding data breaches. This holds true for all breaches, whether they involve your organisation or not. For customers, there is a real difference between the annoyance of having to order new debit/credit cards and the violation of having their medical details used to sell them other services or dupe them into thinking they are dealing with your organisation or an authorised subsidiary.

Information coming from the Anthem attack indicates that the breach was facilitated using a stolen set of Privileged User credentials. Although there are accusations of lax IT management (no data-level encryption), Anthem were in fact in reasonable shape at the time of the attack: they had a strong password policy and a semblance of a least privilege model, and detection was near immediate. What’s special about this attack is that the malware (APT) targeted particular users: those who could access the customer information.

Anthem breaks all records at 80 million records stolen; they’ve even set up a specific website, AnthemFacts, to deal with the apology and handle FAQs.

The Anthem attack comes right on the heels of other serious breaches. Law makers feel there needs to be a change, and lawyers are sensing blood in the water [Morris v. Anthem Inc., 15-cv-00196, U.S. District Court, Central District of California (Santa Ana)]. As these attacks become more prevalent, it’s not a case of losing your customers to competitors; it’s a case of customers not wanting to give the information in the first place and therefore avoiding doing business. It’s an industry-wide problem, and one that needs addressing across the whole spectrum of IT and business operations.

Since Osirium is in the business of Privileged User Management, it seems obvious that there is a need to separate people from passwords; password managers are no protection against interception and scraping attacks. In particular, there is a need to ensure that the credentials of secure systems never pass through the workstations of privileged users. If you consider the 2014 Verizon Data Breach Investigations Report, you’ll see that the top four threats are based on either technical or social methods of stealing credentials.